CienFuegos, posted December 20, 2021:

33 minutes ago, Hugbert said:
> Just run a search in Windows Explorer. Hopefully you won't find it at all. If you do figure out what application it is associated with, it should be in the same folder structure right. The one I found was in SQL Developer I had used for a class I took. I just deleted the entire application. If you find it in an application you need, check the vendor website for fixes.

Puppeh lifts one ear and looks confuzzled a whatis?

Hugbert, posted December 20, 2021:

A whatis what Puppeh? Which part is confusing?

CienFuegos, posted December 21, 2021:

17 hours ago, Hugbert said:
> A whatis what Puppeh? Which part is confusing?

points to all of it

Hugbert, posted December 21, 2021:

Search your machine using Windows Explorer. If you find log4j-core either remove it, or check with the application support website on remediation. It's a bad file that can let bad people do bad things.

CienFuegos, posted December 23, 2021:

On 12/21/2021 at 9:38 AM, Hugbert said:
> Search your machine using Windows Explorer. If you find log4j-core either remove it, or check with the application support website on remediation. It's a bad file that can let bad people do bad things.

what kinda bad things?

Hugbert, posted December 24, 2021:

Umm basically allow someone to take over the computer.

Nerva, posted December 24, 2021 (edited):

19 hours ago, CienFuegos said:
> what kinda bad things?

Apache Log4j is an open-source logger component used in Java applications made by Apache, as well as applications by other developers with embedded Apache components, like Minecraft: Java Edition. When the component attempts to parse a specially-crafted string of input, arbitrary code execution becomes possible. Meaning that a hacker can send it the right signal and make it run anything they want, at any level of permission they want. Since the component is a logger, to send the signal all you have to do is get it to log an event with the correct string in place. For instance, a login page with the Log4j component could be made to log a malformed username to receive the malicious string.

If you want to learn more, this article on the Microsoft Blog and these two CVEs have a broader overview and more technical specifications on the vulnerability.

For the TL;DR: First do a search on your computer for Log4j-core. It'll be a folder within a Java application's directory (when I found it, it was in the .minecraft directory). You should be able to see its version number in its name. If it's one of the vulnerable versions, the best course of action is to find an update for the component - usually by updating the associated program. So if you find it in .minecraft like I did, make sure you update Minecraft and then search again to see if it's still using the malfunctioning logger.

Versions 2.0.0 through 2.15.0 are affected by this vulnerability. The versions you want to update to are:

Java 8: use Log4j version 2.16.0 or newer
Java 7: use Log4j version 2.12.2

Consider removing applications that use a vulnerable version of this component that can't be updated. There are a few workarounds, but they're difficult to implement. Since I don't play Minecraft anymore, I just uninstalled it and then deleted the entire .minecraft directory.

Edited December 24, 2021 by Nerva: Small correction, it's a Java program component, not a full program in its own right

Hugbert, posted December 24, 2021:

There is a small update on that, 2.16 was compromised already, you want 2.17. Minecraft was one of the first programs it was noticed in as players were sending the attack string through in game chat. Best bet if you don't need log4j-core on your machine, remove it entirely.

One security researcher even found a way to leverage the bug through use of websockets on a website. So just going to the website could compromise your machine. This one is bad, like a whole new level of bad.

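The search described in the posts above, as an added Python example that is not part of any poster's message: it walks a folder, reads the version from the Maven metadata inside each log4j-core jar (falling back to the file name), and also looks inside jars bundled within other archives, which a file-name search in Explorer does not see. The function names are made up for this example, and the 2.17.0 threshold is an assumption taken from Hugbert's reply; the 2.12.2 Java 7 release Nerva mentions is not special-cased.

```python
import io
import os
import re
import sys
import zipfile

MIN_OK = (2, 17, 0)  # assumption: threshold from the thread ("you want 2.17")
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME = re.compile(r"log4j-core-(\d+(?:\.\d+)*)", re.I)
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def status(version):
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        return "unknown"
    nums = tuple(int(p) for p in m.group().split("."))
    return "update" if nums + (0,) * (3 - len(nums)) < MIN_OK else "ok"

def inspect(source, label, found, depth=0):
    """Record log4j-core in one archive (path or buffer), then check nested archives."""
    try:
        with zipfile.ZipFile(source) as zf:
            names, version = zf.namelist(), None
            if POM in names:  # Maven metadata file inside log4j-core jars
                props = zf.read(POM).decode("utf-8", "replace")
                hit = re.search(r"^version=(\S+)", props, re.M)
                version = hit.group(1) if hit else None
            if version is None:  # no metadata: fall back to the file name
                hit = NAME.search(os.path.basename(label.rsplit("!", 1)[-1]))
                version = hit.group(1) if hit else None
            if version:
                found.append((label, version, status(version)))
            for n in names:
                if depth < 3 and n.lower().endswith(ARCHIVES):
                    inspect(io.BytesIO(zf.read(n)), f"{label}!{n}", found, depth + 1)
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable or not really an archive: skip it

def scan(root):
    found = []
    for folder, _dirs, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVES):
                path = os.path.join(folder, f)
                inspect(path, path, found)
    return found

if __name__ == "__main__":
    print(*scan(sys.argv[1] if len(sys.argv) > 1 else "."), sep="\n")
```

Run it with a folder as the argument, for example the .minecraft directory; each result is the archive path (with `!` marking a jar inside another archive), the version found, and `update` or `ok`.
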
Nerva, posted December 25, 2021 (edited):

15 hours ago, Hugbert said:
> There is a small update on that, 2.16 was compromised already, you want 2.17. Minecraft was one of the first programs it was noticed in as players were sending the attack string through in game chat. Best bet if you don't need log4j-core on your machine, remove it entirely.

Yeesh. Yeah, that's pretty nuts. But there's this bit that I'm curious about:

15 hours ago, Hugbert said:
> One security researcher even found a way to leverage the bug through use of websockets on a website. So just going to the website could compromise your machine. This one is bad, like a whole new level of bad.

Like, I thought the code vulnerability only allowed compromising the machine where the Log4j component is actually running. Going to a website designed to exploit a bad Log4j logger would only wind up hacking the server the site is stored on, since it's the site's own logger component that's processing the malformed input. So unless the website can stick a Log4j component on your machine in an internet-facing position (admittedly, not entirely impossible given the existence of chromium plugins, malware, and social engineering) and then have a site write something to your log, I don't see how a visitor to a site can be hacked this way. Am I misunderstanding something here?

Edited December 25, 2021 by Nerva: Allowing for reasonable doubt

Hugbert, posted December 25, 2021:

If log4j is installed on your local machine, say by the minecraft client, they can use a websocket to find and load it into memory and then execute the hack on your machine. Even if you are not actively running a webserver.

https://www.zdnet.com/article/security-firm-blumira-discovers-major-new-log4j-attack-vector/

This was a nasty development last week.

Nerva, posted December 25, 2021 (edited):

1 hour ago, Hugbert said:
> If log4j is installed on your local machine, say by the minecraft client, they can use a websocket to find and load it into memory and then execute the hack on your machine. Even if you are not actively running a webserver. https://www.zdnet.com/article/security-firm-blumira-discovers-major-new-log4j-attack-vector/ This was a nasty development last week.

Oh, ew. I don't use this term lightly, but that is outright fugly. Crap, and that article was posted barely more than a week ago. Yeah, I'mma just double-check for this component and destroy any instances I find. I don't need any java-integrated software that much that I'm willing to risk it.

Edited December 25, 2021 by Nerva: Small addition

Hugbert, posted December 25, 2021:

It took an ugly situation and made it WAY worse. That is why I am trying to warn people, this shouldn't happen to anyone.

CienFuegos, posted December 27, 2021:

very good information ty @Nerva and @Hugbert

CienFuegos, posted December 27, 2021 (edited):

its chilly today it almost 55!...collects rooks feathers and begins making a down feather blanket turns on oven and thermostat to 75 sends bill to @Hugbert and @rookery.

Hugbert, posted December 27, 2021:

*Boggles, has the furnace removed and shipped to Siberia!*

CienFuegos, posted December 28, 2021:

2 hours ago, Hugbert said:
> *Boggles, has the furnace removed and shipped to Siberia!*

noooo not me furnace,,,soooo cold...turns into a puppysicle~

Hugbert, posted December 28, 2021:

*Builds fire in the fire place!* Dis much nicer! We can gather round under blankets and sing songs!

SoylentPlaid, posted December 28, 2021:

*buries the puppet in a giant pile of toast* There...nice and toasty =^.^= *NinjaGairyKittyBadPunWhatBadPunVanish*

CienFuegos, posted December 28, 2021:

23 minutes ago, SoylentPlaid said:
> *buries the puppet in a giant pile of toast* There...nice and toasty =^.^= *NinjaGairyKittyBadPunWhatBadPunVanish*

mmm toast .... noms his way out btw @SoylentPlaid its * ninjaFairyKittybadPunWhatBadPunVanish*

SoylentPlaid, posted December 28, 2021:

=O.O=

CienFuegos, posted December 28, 2021:

32 minutes ago, SoylentPlaid said:
> =O.O=

><

Hugbert, posted December 28, 2021:

*Sticks the toast to the puppeh with vegemite!*

CienFuegos, posted December 28, 2021:

2 hours ago, Hugbert said:
> *Sticks the toast to the puppeh with vegemite!*

id rather you use bacon oil....

Hugbert, posted December 28, 2021:

Dis was not for you, was to make me laugh!

CienFuegos, posted December 28, 2021:

39 minutes ago, Hugbert said:
> Dis was not for you, was to make me laugh!

pounces fedor and includes him in the vegemite toast mosh as they begin rolling down a hill.....they turn into a toast ball...